From fa95ba331f75d73b657561b88d600a661a6daebb Mon Sep 17 00:00:00 2001
From: Simon Brandhof
Date: Fri, 14 Oct 2016 10:02:00 +0200
Subject: [PATCH] SONAR-8262 verify authorization on organization
---
 .../org/sonar/server/permission/ws/RemoveGroupAction.java | 2 +-
 .../org/sonar/server/permission/ws/RemoveUserAction.java | 2 +-
 .../sonar/server/permission/ws/RemoveGroupActionTest.java | 7 ++++++-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveGroupAction.java b/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveGroupAction.java
index 89e52894966..cee272fe693 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveGroupAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveGroupAction.java
@@ -79,7 +79,7 @@ public class RemoveGroupAction implements PermissionsWsAction {
 GroupIdOrAnyone group = support.findGroup(dbSession, request);
 Optional projectId = support.findProject(dbSession, request);
- checkProjectAdmin(userSession, projectId);
+ checkProjectAdmin(userSession, group.getOrganizationUuid(), projectId);
 PermissionChange change = new GroupPermissionChange(
 PermissionChange.Operation.REMOVE,
diff --git a/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java b/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java
index e931111f633..fedd1eab454 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java
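Review bot: In the RemoveGroupAction hunk the organization handed to `checkProjectAdmin` is taken from the resolved group, while `projectId` is resolved separately from the same request, and nothing visible in the hunk ties the project to that organization. If a request can name a group from one organization and a project from another, the check may be evaluated against one scope while the `GroupPermissionChange` applies to the other; whether that is rejected depends on code outside the hunk. The RemoveUserAction hunk has the same shape, with the organization coming from `PARAM_ORGANIZATION_KEY`. I would either reject the mismatch before the check or state the invariant next to it, e.g. `// group and project are resolved independently; the project must belong to group.getOrganizationUuid()`. The enclosing method starts and ends outside the hunk.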
@@ -82,7 +82,7 @@ public class RemoveUserAction implements PermissionsWsAction {
 Optional projectId = support.findProject(dbSession, request);
 OrganizationDto org = support.findOrganization(dbSession, request.param(PARAM_ORGANIZATION_KEY));
- checkProjectAdmin(userSession, projectId);
+ checkProjectAdmin(userSession, org.getUuid(), projectId);
 PermissionChange change = new UserPermissionChange(
 PermissionChange.Operation.REMOVE,
diff --git a/server/sonar-server/src/test/java/org/sonar/server/permission/ws/RemoveGroupActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/permission/ws/RemoveGroupActionTest.java
index 14f5b84d038..a0d30f01d85 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/permission/ws/RemoveGroupActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/permission/ws/RemoveGroupActionTest.java
@@ -23,6 +23,7 @@ import org.junit.Before;
 import org.junit.Test;
 import org.sonar.api.web.UserRole;
 import org.sonar.db.component.ComponentDto;
+import org.sonar.db.organization.OrganizationDto;
 import org.sonar.db.user.GroupDto;
 import org.sonar.server.exceptions.BadRequestException;
 import org.sonar.server.exceptions.ForbiddenException;
@@ -316,7 +317,11 @@ public class RemoveGroupActionTest extends BasePermissionWsTest
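Review bot: The new `checkProjectAdmin(userSession, org.getUuid(), projectId);` call in the RemoveUserAction hunk has no accompanying test in this commit, since the diffstat lists only RemoveGroupActionTest on the test side. Because this line is the authorization gate for removing a user's permission, I would add a case to the RemoveUserAction tests in which the caller administers a different organization than the one named by `PARAM_ORGANIZATION_KEY` and a `ForbiddenException` is expected. A second case with the organization parameter omitted would pin down which organization the check falls back to, which the hunk does not show. The enclosing method starts and ends outside the hunk.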